Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2007.0538 -- [UNIX/Linux][Debian] New curl and libcurl packages fix certificate handling 19 July 2007 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: curl 7.16.3 and prior libcurl 7.16.3 and prior Publisher: Debian Operating System: UNIX variants (UNIX, Linux, OSX) Impact: Reduced Security Access: Remote/Unauthenticated CVE Names: CVE-2007-3564 Original Bulletin: http://www.debian.org/security/2007/dsa-1333 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running libcurl or curl check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1333 security@debian.org http://www.debian.org/security/ Steve Kemp July 18th, 2007 - - ------------------------------------------------------------------------ Package : libcurl3-gnutls Vulnerability : input validation Problem type : local and remote Debian-specific: no CVE Id(s) : CVE-2007-3564 It has been discovered that the GnuTLS certificate verification methods implemented in libcurl-gnutls, a solid, usable, and portable multi-protocol file transfer library, did not check for expired or invalid dates. For the stable distribution (etch), this problem has been fixed in version 7.15.5-1etch1. We recommend that you upgrade your libcurl3-gnutls package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - -------------------------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1.dsc Size/MD5 checksum: 948 1eacdb0c127ad12b860033f743563df8 http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5.orig.tar.gz Size/MD5 checksum: 1897973 61997c0d852d38c3a85b445f4fc02892 http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1.diff.gz Size/MD5 checksum: 19029 cbd30d40f3026e020182e665a7f5d5be Architecture independent packages: http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.15.5-1etch1_all.deb Size/MD5 checksum: 22198 b6b9a429b9ae513c5e0c8472c6509907 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_alpha.deb Size/MD5 checksum: 811542 dbc6cd819cff1b717c46e11caa1dd331 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_alpha.deb Size/MD5 checksum: 815608 03e1eb1961a7e58e82e4ac2380aa8c8a http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_alpha.deb Size/MD5 checksum: 181660 30c703c8b17a42b63d2fbe575bafe562 http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_alpha.deb Size/MD5 checksum: 823850 23eb2600b1da596a04bfd5043effc13d http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_alpha.deb Size/MD5 checksum: 166814 7a9f90444bd58d38c9452a44ff71ea98 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_alpha.deb Size/MD5 checksum: 175316 0167fc5805b8f8c363165dff64dafe98 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_amd64.deb Size/MD5 checksum: 772978 675235b32ac91f3b91f86ee28e70d1e2 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_amd64.deb Size/MD5 checksum: 824246 a0547976a45ee4d4be2c43b179459404 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_amd64.deb Size/MD5 checksum: 767648 4852d415582c564eb50cb9f8cbc677f7 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_amd64.deb Size/MD5 checksum: 170008 ff8b0b14022f291265324243579abf2d http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_amd64.deb Size/MD5 checksum: 164638 ae44174a768af4786637cb6292800b21 http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_amd64.deb Size/MD5 checksum: 163440 c7410d7b8efc16abf1e138c1bb7a5712 arm architecture (ARM) http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_arm.deb Size/MD5 checksum: 162094 001980ca743312ca37513877ad7d19f6 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_arm.deb Size/MD5 checksum: 164634 436490a717543532135cfaafb4fb4a99 http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_arm.deb Size/MD5 checksum: 757356 3a74f9c27504a758b95dfb6ba5fb96a3 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_arm.deb Size/MD5 checksum: 782328 40e1890d559f3efb927af1d0bc0c8c6e http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_arm.deb Size/MD5 checksum: 750218 82456f7c8a985993fd50eb482f715a70 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_arm.deb Size/MD5 checksum: 159216 183adf1413dc30aab0e80c96e8b07d69 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_hppa.deb Size/MD5 checksum: 164460 cb4b604568f5f67d219f42423a3871e5 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_hppa.deb Size/MD5 checksum: 183728 04b0a53a277f70ca365662ea80956012 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_hppa.deb Size/MD5 checksum: 177964 4e5610dee599cff8118ee190db9a632d http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_hppa.deb Size/MD5 checksum: 792842 1bdbcbc1a90f533c7a4937c61eb07097 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_hppa.deb Size/MD5 checksum: 811428 5028f1eb54b2eae003f97f38b06ee31e http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_hppa.deb Size/MD5 checksum: 786392 41a0d16e111efa9b7693b2ff4b49aae2 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_i386.deb Size/MD5 checksum: 759318 e028af09b03561cf80fba28e667619cc http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_i386.deb Size/MD5 checksum: 797370 61890674b4ca3d63025aec44330d018a http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_i386.deb Size/MD5 checksum: 163196 c4826f28c035963ba7c78bbf02e598fc http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_i386.deb Size/MD5 checksum: 765284 dbb49ba6646ccf3b0545246d221727f6 http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_i386.deb Size/MD5 checksum: 162952 13ee79189c41390d6123d9f2eceb43d6 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_i386.deb Size/MD5 checksum: 168268 abfd5346cf785ff3c3575e0ff5f45fd3 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_ia64.deb Size/MD5 checksum: 217322 60b9e2ed439e2d25efd0a938fed85631 http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_ia64.deb Size/MD5 checksum: 174406 3b2820551a8f73b6d0d2fd618611aa8d http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_ia64.deb Size/MD5 checksum: 847688 3067d35de833b8fc16bcbac066105fab http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_ia64.deb Size/MD5 checksum: 225286 33446e0073372cbf66d2478d931b4c20 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_ia64.deb Size/MD5 checksum: 811428 29c7c73f506b810299b99ec4aa546d23 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_ia64.deb Size/MD5 checksum: 837622 0539dc6328d28d866c60aabcc9a54c77 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_mipsel.deb Size/MD5 checksum: 809808 74fb469f9dede8bc34e48a4a539e4358 http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_mipsel.deb Size/MD5 checksum: 163986 df1acd593c0eeed9a18c3ed8a8a0549e http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_mipsel.deb Size/MD5 checksum: 791042 3608d4164968ecf0eb5761ccfa981efb http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_mipsel.deb Size/MD5 checksum: 783344 5f6956f17a95ffa849c83847ca68125a http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_mipsel.deb Size/MD5 checksum: 165370 2ff41d7e7856497bb33aaf1c42d0cc20 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_mipsel.deb Size/MD5 checksum: 170278 8d0e09a0bdaf30cd225e59d381c6966a powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_powerpc.deb Size/MD5 checksum: 165070 a2a95f8b931dd24659e6c17ae6de57e0 http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_powerpc.deb Size/MD5 checksum: 840286 670575e9107d1665d0123d5b034b09c3 http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_powerpc.deb Size/MD5 checksum: 780710 f63c169d7ac0a594415ce06fc554d03a http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_powerpc.deb Size/MD5 checksum: 173628 2ef64672347d6ec0f710bfc3c68fb188 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_powerpc.deb Size/MD5 checksum: 168912 2b05b6937b6c6bb567e9d77dc1d13ea2 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_powerpc.deb Size/MD5 checksum: 773612 4292b8d1c968c17817ccd36149ddbc20 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_s390.deb Size/MD5 checksum: 835496 199f0660bb88bf2b5f8572209c4bbcaa http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_s390.deb Size/MD5 checksum: 163122 4c84c66f773accf9da6e6585edcedcc7 http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_s390.deb Size/MD5 checksum: 773100 10a17910d3a30b7de38a138fd6c3e299 http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_s390.deb Size/MD5 checksum: 179504 e83ac479b8e9c5011e28db1f4d58fa14 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_s390.deb Size/MD5 checksum: 768068 67cbdd360ed1dbb80824bb6738787c95 http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_s390.deb Size/MD5 checksum: 172214 c187f5108f5a977f08abf0b4e37471e0 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch1_sparc.deb Size/MD5 checksum: 165032 18e35286ceb1129fbbe7fa1be094c59d http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch1_sparc.deb Size/MD5 checksum: 758474 e5f75c8f4491dd628fa9005e4dfc5cbb http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch1_sparc.deb Size/MD5 checksum: 159890 69c90d7c3aaa79021cfa2ee5ca0c8ca7 http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch1_sparc.deb Size/MD5 checksum: 162360 de5df99405d29124dcd4b70e3aa60bf7 http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch1_sparc.deb Size/MD5 checksum: 765156 963dd337e581b69c4663ade85a44755d http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch1_sparc.deb Size/MD5 checksum: 787450 2ed6fb01f7babf43d9bf04aac8ed79d5 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGnnLYwM/Gs81MDZ0RAqEMAJ9SVwtkRq4InvjE1WxoZhNuNuBBMwCfTYFF UsgKwdu++50iJM4A+60bNxs= =ncFi - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRp7M6Ch9+71yA2DNAQKhmQP/RvaYVNlO8oEzhFdRqnMCwmVMMVjVrrt3 7F0q0sZ+DDSW1Sid59cq70EZ6QCKfCBwzvutZMOxsvTmoODh2uja5oTFCVvNSRdN X2wydwBt0JkIBhOBwyIoRkBWtb6ac3HG8clFgVKnWVDKT7Vo9kGGnlQUJD55hwfK qUoaJ7L8Ds0= =1SOh -----END PGP SIGNATURE-----